SSAB privacy statement

Last updated 16 April 2018

This Privacy Statement describes the processing of personal data by SSAB, including its affiliates, among others Tibnor and Ruukki ("SSAB"). It answers the questions of what personal data SSAB collects, uses or shares, for what purposes the data is collected and what rights Users have. The Users can be SSAB’s customers, representatives of customer companies, potential customers or internet users visiting the website ("Users").

SSAB's website may contain links to websites and services of third parties. These websites or services are subject to their own privacy statements. SSAB does not take any responsibility for third parties’ privacy statements or processing of personal data in third parties’ operations. Please pay attention to their respective privacy statements and subsequent changes to them.

1. DATA CONTROLLER

The data controller in accordance with the applicable data protection law is SSAB AB (registration number: 556016-3429, address: P.O. Box 70, SE-101 21 Stockholm, Sweden) for all data processing on a corporate level, for example for marketing tools provided in all SSAB group companies. In SSAB, the primary contact for privacy matters is: e-mail: data.privacy(at)ssab.com

SSAB is responsible for ensuring that personal data is processed in compliance with this Statement and applicable data protection laws.

2. LEGAL BASIS AND PURPOSE OF PROCESSING PERSONAL DATA

SSAB processes personal data of the Users for various purposes, which are explained below.

2.1 Service provision

The main purpose of processing personal data is to provide the website and deliver SSAB's products and services. This processing of personal data is primarily based on contract with the User, including processing needed prior to entering into the customer relationship.

2.2 Marketing and communications

Users' personal data will be used to manage communication with Users and for marketing purposes. In this respect, the processing is based on SSAB's legitimate interest to provide Users with relevant and up-to-date information as part of the website. It is also based on SSAB's legitimate interest to promote SSAB's latest products and services as well as to personalize the User experience.

To some extent, marketing via electronic means is based on Users' prior consent, for example for sending marketing messages. Users should refer to section 6 below for further information about marketing communications and Users' rights in this respect.

2.3 Product and services development purposes

SSAB's goal is to provide high quality services and give Users relevant information about those services. Therefore, SSAB may use personal data to analyze the market, User groups and use of websites for the purpose of developing and improving the quality of the website and SSAB's products and services. This processing is based on SSAB's legitimate interest to grow and develop.

SSAB uses cookies and other similar techniques for statistical purposes, to compile anonymous, aggregated statistics that allow SSAB to understand how Users use the website and increase user-friendliness. Please see SSAB's Cookie Statement for further information.

2.4 Information security

SSAB may process technical data, including some personal data for information security purposes and fraud prevention. SSAB maintains information security measures to safeguard business information and business assets, to protect personal data, to avoid criminal activities and to ensure the availability of the websites and services. This processing is based on SSAB's legitimate interest to ensure an appropriate level of network and information security.

2.5 Processing of personal data internally within SSAB group

Users' personal data may be processed in other SSAB group companies. In this case, the processing of personal data is based on SSAB's legitimate interest to organize and manage customer relationships, marketing as well as information security measures within the group in an appropriate and practical way.

3. COLLECTION OF DATA

SSAB may collect personal data through different means, which are explained below.

3.1 Customer relationship

SSAB processes personal data for the purpose of maintaining a good customer relationship, for example when providing and delivering products or services and maintaining customer communications. This personal data is collected directly from the Users.
Depending on the Users' interaction, SSAB may collect the following personal data:

Basic information about the User, such as name, email address and phone number;

Information relating to customer relationship, such as products and services ordered, starting and end time of customer relationship;

Billing information, such as account numbers, payments made and outstanding and bills delivered; and

Customer communications.

3.2 User's interaction with SSAB on website or otherwise

SSAB may collect personal data when Users contact SSAB's customer service, use website chat, contact SSAB otherwise, order SSAB's newsletter or participate in surveys or competitions on websites or elsewhere. This personal data is collected directly from the Users.

SSAB may collect personal data that the User has shared with SSAB, such as

Basic information about the User, such as name, email address and phone number;

This technical data is collected automatically through the use of website and services.

3.4 Data collected from other sources

SSAB may, from time to time, also collect information from publicly available sources and third parties, such as social networks and marketing companies. For example, SSAB may receive basic information about the User's social network profile if the User logs in to SSAB's website or services using a social network account.

4. SHARING OF DATA

SSAB may disclose Users' personal data to the following third parties:

other SSAB group companies for the purposes listed above;

trusted service providers, such as distributors and marketing service providers for the purposes listed above. However, at all times, these trusted service providers act on SSAB's behalf and SSAB is responsible for the use of Users' personal data;

when permitted or required by law to comply with requests by competent public authorities such as subpoenas or similarly binding acts;

if SSAB is involved in a merger, acquisition, or sale of all or a portion of its assets; and

when SSAB believes in good faith that disclosure is necessary to protect SSAB's rights, protect Users' safety or the safety of others, investigate fraud, or respond to a government request.

5. TRANSFER OF PERSONAL DATA OUTSIDE OF EU/EEA

5.1 Intra-group transfers

As some of the SSAB group companies are located outside of the EU/EEA, User's personal data may be transferred outside of EU/EEA, such as to the United States. In this case SSAB will use the required established mechanisms that allow the transfer outside of EU/EEA, such as the Standard Contractual Clauses approved by the European Commission.

5.2 Service providers located outside of EU/EEA

SSAB may use subcontractors when providing the website or services. When necessary and to the extent required for the purpose of the website and the provision of the services, personal data may be transferred to a country outside of the EU/EEA. In this case SSAB will use the required established mechanisms that allow the transfer to subcontractors in those third countries, such as the Standard Contractual Clauses approved by the European Commission. SSAB will rely on the so-called Privacy Shield for those service providers located in the U.S. that are Privacy Shield-certified. For more information about the Privacy Shield framework developed by the U.S. Department of Commerce and the EU Commission and the related principles concerning processing of personal data, please see here.

6. MARKETING COMMUNICATIONS

When a User provides SSAB with contact details, for example in connection with a sale of a product or service, when contacting SSAB's customer service, ordering a handbook or other materials on the website, or participating in competitions, SSAB may use the User's personal data for marketing purposes and to promote SSAB's latest products and services as well as to personalize the User experience. Users are given the opportunity to give their prior consent or, where applicable laws allow, the opportunity to opt out of receiving marketing communications from SSAB or other group companies.

6.1 eMarketing

SSAB may provide a User with product and service updates, newsletters and other communications about existing or new products and services by email and text message (SMS), if the User has given prior consent or if SSAB is otherwise permitted to do so under applicable law.

A User may unsubscribe from marketing communications at any time by clicking on the "unsubscribe" link located on the bottom of emails.

6.2 Statistics and segregation

SSAB may create User group profiles or segment data for the purpose of creating anonymous, aggregated statistics about the use of SSAB's websites, products and services, such as to estimate number of Users, viewed pages, email reads and detect which parts of the website the Users find most useful, to identify features that could be improved and to provide context based advertising to User groups. Data collected for these purposes is not used to identify a particular User but to analyse how the Users in general or User groups use the website or services.

6.3 Targeted advertising

SSAB or SSAB's advertising partners may display content or advertisements to a User, for example, the User might see an advertisement for a recently viewed product on SSAB's website. SSAB uses cookies and other similar technologies to display personalised adverts based on, for example, User's browsing, purchase history or log-in information.

When SSAB collects or uses information about a User's web browsing for e-marketing purposes, the User has the right to object to this at any time by contacting SSAB. Regarding the right to object, please refer to section 8 below for further information.

7. RETENTION OF PERSONAL DATA

The personal data will be retained only for as long as necessary to fulfill the purposes defined in this Privacy Statement. After that, personal data will be removed except when personal data retention is required by law or rights or obligations by either party.

Here are the main rules for the retention periods:

Personal data regarding customers will be retained during the customer relationship and after that as long as necessary or required by law or rights or obligations by either party, for example for billing purposes;

Data collected in connection with customer service, other interaction with SSAB, surveys and competitions will be retained as long as necessary to manage and handle the matter in question.

SSAB will delete or anonymise data used for marketing purposes after a reasonable period of time has lapsed from last contact between the User and SSAB, unless data retention is required by law or rights or obligations by either party.

Should a User have a concern about data retention for marketing purposes, User should refer to section 8 below for further information about Users' rights in this respect.

8. PRIVACY RIGHTS

A User has the right to access personal data that SSAB holds about him or her.

A User has the right to request to correct, update or remove their personal data at any time. However, please note that certain information is strictly necessary in order to fulfil the purposes defined in this Statement and may also be required by law. Therefore, the deletion of such data may not be allowed by applicable law, which prescribes mandatory retention periods.

A User has a right to object at any time, on grounds relating to their particular situation, to processing that is based on the legitimate interest of SSAB. To the extent required by applicable data protection law, Users have a right to restrict data processing.

A User has a right to data portability, i.e. the right to receive the personal data in a structured, commonly used machine-readable format and transmit the personal data to another data controller, to the extent required by applicable law. This applies only to personal data provided by the User based on customer contract or the User's consent.

Please send any requests regarding the above-mentioned rights to SSAB at [data.privacy(at)ssab.com].

If a User thinks there is a problem with the way SSAB is processing the User's personal data, the User has a right to file a complaint with the national data protection authority in the EU/EEA.

9. SECURITY

SSAB maintains reasonable security measures, including physical, electronic and procedural measures, to protect personal data from loss, destruction, misuse, and unauthorized access or disclosure. For example, SSAB limits access to this information to authorized employees and contractors who need to know that information in the course of their job, and to third-party service providers who may only process data in accordance with instructions provided by SSAB.

Please be aware that, although SSAB endeavours to provide reasonable security measures for personal data, no security system can prevent all potential security breaches.

10. CHANGES TO THIS PRIVACY STATEMENT

SSAB may amend this Privacy Statement and the related information. SSAB recommends that the Users regularly access the Privacy Statement to obtain knowledge of any possible changes to it. SSAB will always provide the date of the Privacy Statement to allow the Users to see changes. Please note that this Privacy Statement is for information purposes only.

SSAB will inform Users of possible changes by using reasonable and available channels.

11. CONTACT SSAB

For requests regarding SSAB’s Privacy Statement or personal data SSAB holds about the User in question, please contact SSAB by email at [data.privacy(at)ssab.com].